Penetration Testing mailing list archives

Re: Research on penetration testing?


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Thu, 16 Dec 2004 14:28:14 -0500

The problem probably lies in the fact that to do penetration testing, one simply has to apply the same tools and techniques as any would-be intruder would do, the difference being in the motive and the "get out of jail free" card. These tools and techniques vary greatly depending on the environment to pentest, so it is very difficult to set up one clear course of action that could be determined by research. Also, seeing the success rates of script kiddies (people with little technical knowledge) is a good sign that experienced professionals should not have many problems achieving the same success rates with pen-testing. What I mean here is that the technical considerations for performing pen-testing are not the biggest issue right now in computer security research.

In short, a typical intrusion attempt (pen test or not) is made by applying the following steps:
1) information gathering about our target;
2) analysis of this data to determine our best course of action (which services are available on the net, which versions they are, selection of vulnerabilities to exploit);
3) apply one or more exploits as determined in 2) in order to gain unauthorized access;
4) evaluation of the new compromised environment and our progression towards our goal;
5) repeat steps 1 to 5 until the target is reached.

A typical intrusion attempt usually follows these steps. If you absolutely want to pursue research in the pen test field (aside from discovering new vulnerabilities), I don't see that many options. Maybe you could try to make an automated tool that will perform all these steps automatically (the tool does the info gathering, checks in a database for exploits matching this info, then applies the exploit), but I don't know if this kind of software already exists. Close to that are vulnerability scanners, which do the same except that they won't go as far as applying the exploit (a scanner can test if a system is vulnerable to an exploit, but it won't actually exploit the system as in an intrusion).

Another thing you could look for is a tool that can test software for vulnerabilities like buffer overflows and malformed strings, in order to find unknown vulnerabilities in the software. Mark Litchfield made similar software to test database server software for these kinds of vulnerabilities (www.ngssoftware.com).

Other than that, I think that academic research opportunities in the field of pen-testing are pretty limited. A better area for such research IMHO would be the field of intrusion detection/prevention, as this field is the other side of the same coin. It is usually the bad guys that "pen-test" networks (notice the ""), and the challenge is to detect all these attempts by relying on proper techniques. Most of the current-day technologies work by knowing in advance the signatures of existing threats, which means that these systems have a problem by design with 0-day exploits and unknown vulnerabilities. I, for one, did much research in this direction (http://securit.iquebec.com), but I'd be happy to see more academics look into it.

Of course, I may be wrong, but seeing how quick the first answers were about doing research on the ROI of pen-tests, I effectively think that the technical aspects of pen-tests are not in such bad shape in terms of research.

Hope it helps.

Adam Richard
SecurIT Informatique Inc.
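The message above argues that signature-based detection has a "problem by design" with unknown attacks. The following script is an added illustration of that point, not code from the original post or from SecurIT: it runs a tiny signature engine and a tiny baseline (anomaly) engine over a handful of constructed web-server log lines. The log lines, the two signatures, the "normal traffic" used to learn the baseline and the length factor are all assumptions made up for the example.

```python
import re

# Extract method and request path from a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Known-bad patterns a signature engine ships with (constructed, illustrative).
KNOWN_SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.IGNORECASE),
}

# Constructed "normal" traffic used to learn a baseline (not real log data).
NORMAL_TRAFFIC = [
    '10.0.0.2 - - [15/Dec/2004:09:00:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.3 - - [15/Dec/2004:09:00:04 -0500] "GET /products.html HTTP/1.0" 200 2210',
    '10.0.0.4 - - [15/Dec/2004:09:00:09 -0500] "GET /cgi-bin/search?q=printers HTTP/1.0" 200 1500',
    '10.0.0.6 - - [15/Dec/2004:09:00:12 -0500] "GET /cgi-bin/search?q=laser+toner HTTP/1.0" 200 1320',
]

# Constructed traffic to inspect: two requests matching known signatures and
# one oversized input that the signature set has never seen.
LOG_LINES = [
    '10.0.0.5 - - [16/Dec/2004:14:00:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [16/Dec/2004:14:00:03 -0500] "GET /products.html HTTP/1.0" 200 2210',
    '10.0.0.9 - - [16/Dec/2004:14:00:05 -0500] "GET /cgi-bin/search?q=../../../../etc/passwd HTTP/1.0" 404 310',
    '10.0.0.11 - - [16/Dec/2004:14:00:07 -0500] "GET /cgi-bin/search?q=<script>alert(1)</script> HTTP/1.0" 200 512',
    '10.0.0.13 - - [16/Dec/2004:14:00:09 -0500] "GET /cgi-bin/search?q=' + "A" * 600 + ' HTTP/1.0" 500 0',
]


def parse_request(line):
    """Pull method, route and query string out of one log line (None if unparsable)."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    route, _, query = m.group("path").partition("?")
    return {"method": m.group("method"), "route": route, "query": query}


def signature_detect(lines):
    """Signature engine: a line is flagged only if it matches a pattern known in advance."""
    hits = []
    for idx, line in enumerate(lines):
        req = parse_request(line)
        if req is None:
            continue
        for name, pattern in KNOWN_SIGNATURES.items():
            if pattern.search(req["route"]) or pattern.search(req["query"]):
                hits.append((idx, name))
                break  # one verdict per line is enough for this illustration
    return hits


def build_baseline(normal_lines):
    """Learn what 'normal' looks like: the routes seen and the longest query string."""
    routes = set()
    max_query = 0
    for line in normal_lines:
        req = parse_request(line)
        if req is None:
            continue
        routes.add(req["route"])
        max_query = max(max_query, len(req["query"]))
    return {"routes": routes, "max_query_len": max_query}


def anomaly_detect(lines, baseline, factor=4):
    """Baseline engine: flags deviations from learned behaviour without any attack knowledge.

    The factor is an assumed tolerance; a real deployment would tune it on its own traffic.
    """
    hits = []
    limit = baseline["max_query_len"] * factor
    for idx, line in enumerate(lines):
        req = parse_request(line)
        if req is None:
            continue
        if req["route"] not in baseline["routes"]:
            hits.append((idx, "unknown-route"))
        elif len(req["query"]) > limit:
            hits.append((idx, "query-length"))
    return hits


def compare_engines(lines, baseline):
    """Return which line indexes only one engine caught, and which both caught."""
    sig = {idx for idx, _ in signature_detect(lines)}
    ano = {idx for idx, _ in anomaly_detect(lines, baseline)}
    return {
        "signature_only": sorted(sig - ano),
        "anomaly_only": sorted(ano - sig),
        "both": sorted(sig & ano),
    }


if __name__ == "__main__":
    base = build_baseline(NORMAL_TRAFFIC)
    print("signature hits:", signature_detect(LOG_LINES))
    print("anomaly hits:  ", anomaly_detect(LOG_LINES, base))
    print("coverage:      ", compare_engines(LOG_LINES, base))
```

Run stand-alone, the signature engine flags the traversal and script-injection requests and nothing else, while the baseline engine flags only the oversized request it has no signature for. Neither engine alone covers all three, which is the design limitation the message describes and the reason detection research tends to combine both approaches.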

At 04:18 PM 15/12/2004, leonardo wrote:
* Monday 13 December 2004, at 13:56, Rishi Pande wrote:
>
> I do not know if you would like your research to be more technically

it's a pity not to have, as far as I know, a research branch dedicated to
pen-test, under a technical view. I think technical research on security has
been done in the past much more by vendors than by universities or
research centres, apart from the cryptography field. It would be an
interesting discussion, the attempt to find a way to introduce pen-testing,
and security in general, as a scientific subject and find a field that can
be researched in a long/middle-term project, as a research project should be.

as a person working in a university and trying to push this subject in
teaching and research I'm really interested in links, documents, ideas,
activities other people do that can define this.

ciao,
leonardo.
--
GPG fingerprint = 2C20 A587 05AC 42E5 1292  D0D4 3EED CFB5 52FD AD1E
